DESCRIPTION
With no FILE, or when FILE is -, read standard input.
-b, --binary
    read in binary mode
-c, --check
    read checksums from the FILEs and check them
--tag
    create a BSD-style checksum
-t, --text
    read in text mode (default)
-z, --zero
    end each output line with NUL, not newline, and disable file name escaping
The following five options are useful only when verifying checksums:
The sums are computed as described in FIPS-180-2. When checking, the input should be a former output of this program. The default mode is to print a line with: checksum, a space, a character indicating input mode (‘*’ for binary, ‘ ‘ for text or where binary is insignificant), and name for each FILE.
Note: There is no difference between binary mode and text mode on GNU systems.
AUTHOR
Written by Ulrich Drepper, Scott Miller, and David Madore.
REPORTING BUGS
COPYRIGHT
Copyright © 2023 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html.
This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
SEE ALSO
Full documentation https://www.gnu.org/software/coreutils/sha256sum
or available locally via: info '(coreutils) sha2 utilities'
April 2023 | GNU coreutils 9.3 |
How to take sha256sum of file and compare to check in one line?
I keep on finding myself wanting to download and check the integrity of the download immediately in a script, but I haven't been able to find the right incantation of sha256sum.
How can I take the sha256sum of a new file and compare it with a known hash immediately?
I have downloaded an archive file and an accompanying checksum file. Here is how I verify that the hash of the downloaded archive matches the hash from the downloaded checksum file:
The --status flag prevents all stdout output (more effective than --quiet). I then need to rely on the return code to determine if they matched, which is what I want anyway since I'm going to be using this in a script.
You can see that sha256sum --check takes the output of a previous (regular) sha256sum run: it takes hashes and filenames via stdin, and compares them against actual files.
So the obvious thing to do is to manually give it the output in the format it wants:
Example:
In case you have the sha256sum file, you can directly use it:
Explanation:
In the above example, you have
The sha256sum -c option can either read the SHA256 sum from a sha256sum file or from STDIN. In case you don't have the sha256sum file, then using the echo command you can provide the same details contained in a sha256sum file.
In case you have the sha256sum file, you can directly use it:
Note:
Alternatively, you can use shasum -a 256 instead of sha256sum where -a specifies the algorithm to be used.
All about checksums, including basic info. and usage
DETAILS:
1. Background info
Note: you can use sha256sum or sha512sum in any of the examples below. These are the recommended and most-robust cryptographic checksums, with sha512sum, of course, being stronger.
There is also md5sum, which isn't as robust but is still commonly used for data integrity checks. Whenever possible, I recommend you use sha256sum or sha512sum instead. Wikipedia states that md5sum is still good for data integrity checks, but is "no longer deemed secure" and shouldn't be used for cryptographic purposes. So, just use sha256sum or sha512sum above, instead.
There are even more, however. Here is a list of the various checksum programs you can technically use in any of the examples below:
2. Get the checksum of a file:
Notice that the output of the sha256sum command is the numerical checksum hash followed by the file name this checksum corresponds to. You can store this checksum into a file named sha256sum.txt like this:
3. Compare the checksum of a file against a previously-stored or already-known checksum:
Now, assuming you want to check the integrity of the file against this known checksum in that file, you can test the file again like this:
You can also manually pipe these things (the expected checksum hash and filename) to the checksum program, like this. This is really useful for when you need to check a downloaded file against a known checksum published online where you downloaded it. This way you can check for data integrity to ensure the downloaded file was downloaded successfully.
Example of option 1 just above:
4. To compare the checksum of file1 to file2:
Sometimes you have two downloaded files, or two copies of what you think are the same file, and you just want to ensure they are in fact the same (or different). Building on the information above, there are a few ways to do this.
Manually check the checksum of each file, manually looking at the hashes to ensure they match:
OR [RECOMMENDED] automatically test file1 against file2:
The way this works is that first it checks the checksum of file1, piping the output (hash and filename) to gawk, which is the GNU version of awk, which is a pattern-matching and text processing language. The gawk '{ print $1 }' command simply says to strip the first space-separated text field (indicated by $1), and retain it only. That's the checksum hash from file1. Then, we append the path/to/file2 and pipe this whole thing to be checked, as done previously above.
In effect, we are tricking the checksum program into thinking we have a previously-obtained hash from file2, and we’d like to check it against a newly-calculated hash from file2. Since we used the hash from file1, however, but the filename of file2, we know that if it passes it is really saying file1 and file2 have the same hash, and are therefore identical files.
A shortcut script that helps verify sha256 sums faster
The script is based on the sha256sum utility and lets you compare SHA 256 sums without downloading a file that contains the sum.
How to install
Option 1: Download the sha256 script and add it to your PATH variable.
Option 2: Add the following function to your .bashrc or .zshrc file:

    sha256()
Make sure you have sha256sum utility installed.
How to use
You can compare SHA 256 sums in the following way:

    sha256 <expected-sha-256-sum> <name-of-the-file>
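
The one-line check described in the answers above (a check line fed to `sha256sum --check --status` on stdin, and the file1-against-file2 trick) and the `sha256 <expected> <file>` usage shown here, written out as an added example. It is not the script from this README or code from the posts; the function names `verify_sha256` and `same_sha256` are hypothetical, and GNU coreutils `sha256sum` is assumed.

```shell
#!/bin/sh
# Added example, not the README's script. Assumes GNU coreutils sha256sum and
# file names without backslashes or newlines. Function names are hypothetical.

# verify_sha256 EXPECTED_HEX FILE
# Returns 0 on match, 1 on mismatch or unreadable file, 2 on a malformed hash.
verify_sha256() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    # Accept exactly 64 hex digits, so a truncated paste or a saved error
    # page is rejected before it reaches sha256sum.
    case $want in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || return 2
    # Check-line format: hash, two spaces, file name. "-" reads it from stdin.
    # --status prints nothing; the exit code carries the result.
    printf '%s  %s\n' "$want" "$2" | sha256sum --check --status - || return 1
}

# same_sha256 FILE1 FILE2: pair the hash of FILE1 with the name of FILE2.
same_sha256() {
    # FILE1 is read on stdin, so the first output field is always the bare
    # hash. An unreadable FILE1 gives an empty hash, rejected with status 2.
    h1=$(sha256sum < "$1" | awk '{ print $1 }')
    verify_sha256 "$h1" "$2"
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'hello\n' > "$d/a.bin"    # constructed stand-in for a download
    cp "$d/a.bin" "$d/b.bin"
    printf 'hellp\n' > "$d/c.bin"
    # SHA-256 of the six bytes "hello\n"
    known=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    verify_sha256 "$known" "$d/a.bin" && echo "a.bin matches the known hash"
    same_sha256 "$d/a.bin" "$d/b.bin" && echo "a.bin and b.bin are identical"
    same_sha256 "$d/a.bin" "$d/c.bin" || echo "a.bin and c.bin differ"
    rm -rf "$d"
}
demo
```

In a download script, call `verify_sha256` right after the transfer and stop on any non-zero status; status 2 means the expected value itself was not a SHA-256 hash.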
How to verify the sha256 checksum of a file on Linux
Downloading files from the internet is often unsafe. It is also necessary to download these files for some vital work. Thousands of such files are also downloaded by millions of people. Therefore, such files ought to be protected especially well.
In this article, we will learn about checksums and how to verify the sha256 checksum of a file on Linux.
Prerequisites
- Terminal (non-sudoers can easily work there)
- Validate the checksum file (it is necessary)
- ISO file (downloaded)
What is SHA256?
According to the U.S. National Security Agency, this algorithm is part of the SHA2 family of algorithms. The acronym SHA stands for ‘Secure Hash Algorithm,’ and 256 is the number of bits used in these algorithms.
What is SHA256 Checksum?
It is a cryptographic signature of any file that can be used to identify or detect errors introduced during transmission or storage. A checksum measures the size of a block of digital data. It is a string that uniquely represents a file. Linux has several mathematical algorithms to generate a checksum for a file.
Typically, on the internet, the SHA256 checksum is provided as a string directly in the main file or as a text file in the download section. Through the original checksum file, we can verify the checksum with the Checksum Utility tool.
How to Generate Sha256 Checksum?
A checksum algorithm generates a checksum. There are various checksum algorithms.
- Secure Hash Algorithms and variants (SHA-1, SHA-2, etc.)
- MD-5 Algorithm
The secure hash algorithm generates a checksum value by breaking the file’s data into smaller chunks, creating a hash value for each part, and adding them.
SHA256 creates the digest or hash value of the file, and once the file is tampered with or modified, the original SHA256 digest value is changed.
How to Verify SHA256 Checksum with sha256sum
We can verify the sha256 checksum in two ways:
- Command-line utility sha256sum
- GUI method
Command-Line Method
There are tools available in each Linux distribution for different checksum algorithms. We can verify and generate the checksum using these tools. Some command-line checksums are as follows.
Apart from all this, sha384sum, sha224sum, etc., are also available, which use similar command formats. Here we will verify the checksum with the help of sha256sum using “OpenSUSE Leap 15.2”.
Command-Line utility SHA256sum
We do not need to perform any installation for sha256sum as it is a part of GNU Coreutils. Checksum files are available for download from most distributions with ISO files.
We will download the OpenSUSE Leap 15.2 ISO file first and then download its checksum with the help of the wget command. It is worth noting that along with ISO files, the text file ‘SHA256SUMS’ is also provided and contains checksum values.
Once the checksum is downloaded, we can generate the checksum with the help of the below-mentioned command.
The command with the '-c' flag is run to compare the checksum with the value in the SHA256SUMS file. For each filename listed in SHA256SUMS, it calculates the checksum of the file with that name in the directory and compares it with the listed value.
Based on the ISO file’s checksum, we can see it matches the original file. We received OK in the output, which means that the file downloaded is not corrupted and tampered with. As a result, we can see that no files have been tampered with or modified during the download.
If 'Fail' is written in the output instead of 'OK,' it shows that our file was corrupted and tampered with while downloading it. We have to download the file again; otherwise, we cannot download the respective distribution.
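
A SHA256SUMS file usually lists several images while only one has been downloaded, which a script has to handle. The following added example (not from the original article) checks such a manifest with `--ignore-missing` and separates a clean pass, a failed file, and the case where nothing was checked at all. The directory, the `image-*.iso` names and their contents are constructed samples, the function names are hypothetical, and GNU coreutils 8.25 or later is assumed.

```shell
#!/bin/sh
# Added example. Assumes GNU coreutils sha256sum 8.25 or later (--ignore-missing).
# The image-*.iso files are tiny constructed samples, not real ISO images.

# make_sample: build a directory that looks like a partial mirror download.
make_sample() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" &&
      for n in a b c; do printf 'image %s\n' "$n" > "image-$n.iso"; done &&
      sha256sum image-*.iso > SHA256SUMS &&
      rm image-b.iso image-c.iso ) || return 1   # only image-a.iso "downloaded"
    echo "$dir"
}

# check_manifest DIR: check the files present in DIR against DIR/SHA256SUMS.
# Prints verified, failed or nothing-checked.
check_manifest() {
    (
        cd "$1" || exit 3
        # --ignore-missing skips listed files that are absent; --quiet drops
        # the per-file OK lines. LC_ALL=C keeps the FAILED text untranslated.
        report=$(LC_ALL=C sha256sum --check --ignore-missing --quiet \
                 SHA256SUMS 2>&1) && rc=0 || rc=$?
        if [ "$rc" -eq 0 ]; then
            echo verified
        elif printf '%s\n' "$report" | grep -q ': FAILED'; then
            echo failed
        else
            # Exit status is also non-zero when no listed file was present.
            echo nothing-checked
        fi
    )
}

d=$(make_sample)
echo "as downloaded:  $(check_manifest "$d")"
printf 'x' >> "$d/image-a.iso"      # simulate a corrupted download
echo "after change:   $(check_manifest "$d")"
rm "$d/image-a.iso"
echo "file removed:   $(check_manifest "$d")"
rm -rf "$d"
```

A "verified" result shows that the image agrees with the SHA256SUMS file in the same directory; it does not show where that SHA256SUMS file came from.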
GUI Method
With the help of GtkHash, we can use a graphical method to verify the checksum. GtkHash supports MD5, SHA, and other checksum algorithms.
Installing GtkHash on Ubuntu
We can easily install GtkHash in our Ubuntu system by simply running the command written below:
That’s all we need to do. Select the checksum algorithm of our choice.
- In the menu, select Edit > Preferences.
- Choose the ones we want to use.
- Click the Close button.
Using GtkHash
The application is relatively easy to use.
- The first thing we need to do is select the file to be reviewed.
- Afterward, enter the checksum value found on the website in the check box.
- Press the Hash button.
- It generates the checksum value with our chosen algorithm.
- If the check box matches any of them, it shows a small tick mark next to it.
Conclusion
In this article, we have seen how checksum accurately detects corrupt files. It is so accurate that if we replace or delete a character from any text file inside the ISO image, the checksum algorithm generates an entirely different value for that changed image. We hope that you have understood everything well from this article.
About the author
Prateek Jangid
A passionate Linux user for personal and professional reasons, always exploring what is new in the world of Linux and sharing with my readers.